This October, we celebrate the 20th anniversary of Cybersecurity Awareness Month, an annual event established by the National Cybersecurity Alliance (NCA) to raise awareness for safer online activities. This year emphasizes the importance of password management, multi-factor authentication, software updates, and phishing prevention.
We previously outlined the security challenges that come with poor security culture at organizations. In this blog, we’re addressing another security concern: Shadow IT. If you want to properly protect yourself and your organization against cyber threats, it’s important to understand how shadow IT impacts your security efforts.
Shadow IT refers to software or applications used by employees without the knowledge or approval of their IT or security department. This practice, even if non-malicious, not only limits data visibility but can create vulnerabilities and increase data breach risks as well.
FormAssembly’s CTO Jeff Keating and CIO Jaineesh Davda break down what shadow IT means, its impact on your organization’s security, and how to manage these risky practices in their conversation with Tom Field, Senior Vice President of Editorial with Information Security Media Group. Read on for highlights from their conversation, or watch the full interview at the link below.
What are an organization’s biggest data threats today?
Keating: A lot of times people think it’s an external bad actor who’s trying to hack in. Most likely, it’s internal access that gets granted through some unwitting or well-intentioned internal person. They’re either trying to get something done or answering a phishing email and clicking on a link. We call it shadow IT: anything that anyone’s doing with an external system that may or may not be under your governance.
Davda: It’s internal and non-malicious, but without knowing the breadth and the depth of the action. In most companies in the past six months, most of the breaches had something to do with internal mishandling of credentials or data or uploading something somewhere without IT approval. IT was completely unaware of the actions taken by the employee.
What does Shadow IT entail?
Davda: From an IT perspective as a CIO, what bothers me the most is data integrity, data security, and inventory and cost management. We are in the SaaS business, so it is a little ironic that we make it so easy for everyone to sign up for our software.
Every employee in the company potentially has access to sign up for software without knowing the implications of where the data is being stored, what actions will happen once the data is uploaded, or what integration it is.
Keating: It’s the rogue device on the network or a team within your broader organization that is fairly technical and is going rogue. They know it, you know it, and you’re managing that relationship. That sometimes gets called shadow IT.
It can also be something like, three or four years ago, a platform was highly secure, but missed a needed feature. So, a workaround was put in place to move data to a temporary spot, manipulate it, and then move it back into the platform. I classify those things as a shadow IT arm.
How concerned should security and technology leaders be about shadow IT?
Keating: I’ve got a lot of battle scars because of it. Looking back at my earlier career, I would have given the advice to be on top of this and know about it. Don’t discount it. Include it in the way that you look at your team’s operations, your peer’s team operations, and the security and compliance landscape that you’re trying to build.
Davda: With shadow IT, we don’t know how many data collection softwares or integrations people are using. And that goes back to data classification and awareness or education among employees.
Does shadow IT tie back to poor data management practices?
Keating: Yes. Even if you have good data management practices, you may not be dialed into how your organization is actually operating, what they’re doing, and what they don’t even know they’re doing. It used to be a workaround, and now it’s the main process.
Davda: There are silos in each department. There could be a hundred softwares as a company, and next thing you’re looking at five hundred to a thousand known softwares. Then there’s the added component for unknowns where individuals sign up for something and start using it. Governance is a hard nut to crack.
You don’t want to tap on the shoulder for every single activity everyone does. But you do need to monitor it and feed it back to your data classification, data governance, and all those policies that you wrote.
How do you recommend enterprises protect their data?
Keating: Start with the policies, then implement your procedural framework to support that. It’s diligence that has to be continuously pursued, but done in a way that takes the broader business under consideration, analyzes the risks on a regular cadence, and works at a strategic and operational level across your peers.
Davda: Along with the policies, a data roadmap needs to be present for every single project and undertaking, so you know where the data is going, where it’s integrating, and what’s being done. We invest in a lot of toolsets and data protection services, even file monitoring systems, and are actively pursuing any threats.
This is for employee protection, organization protection, and ultimately doing service to our customers. If you are not secure, how can you certify that the customer’s data is secure?
What are your thoughts on managing and monitoring data access?
Davda: It is pivotal from a compliance standpoint. Think about the regulations that have come in place in recent years. GDPR is the biggest one, then you have NYDFS. And now within the US, a lot of states are coming up with their own data classification and data storage policies.
With all these data centers springing up in different cities and zones, you have to be absolutely sure and aware of where your data lies, how it flows, where it goes, and when you have access. Is it flowing through a third-party vendor, or is it going through a different country? What are the routes you have to define?
Keating: It’s the inventory and the flow. Then knowing that, at any point in that data processing flow, the services that you’re using and the systems that you’re interacting with are auditable. You need to know that you’re leveraging something that can satisfy your audit requirements.
Or if it doesn’t, at least you know, and you can build some compensating controls around that. But it’s all about that inventory and about understanding where things are and where they’re going.
How do you see AI tools and large language models impacting the discussion?
Keating: In the context of this, I see it as another endpoint that someone’s excited about using. They may not ask you for permission because they don’t think they need to, and frankly, they might not. Before you know it, you’ve got another vendor you need to manage.
They might be tripping over themselves and actually send some highly classified data of yours externally. You need to be aware of that and not clamp down on it, but certainly not underestimate the potential risks.
Davda: Imagine if a salesperson uploaded a CSV client list. And a person on that list falls under GDPR. We get a request from GDPR to delete their request to be forgotten. Where do we go from there? We can delete it from our systems, but now we have the knowledge that it was uploaded to a third-party system and that elongates the whole process.
We cannot forget it. We have to take action. We have to be compliant. We have to make sure that data is deleted. Whatever action we take with the data we had in our possession has to be complied with.
How do you address shadow IT concerns internally? How do you help customers better handle their data?
Davda: Compliance, competency, and certification. We have worked really hard to get accredited certifications like HIPAA, SOC 2, and ISO 27001. We are even FedRAMP Ready, have PCI certification, and a few other certifications like NYDFS, GDPR, and CCPA. And this is not just getting the certificate. We follow through with this.
We have a separate dedicated security department, which works in conjunction with engineering, product, finance, HR, pretty much the whole company, and the audits are around the clock. We run pen tests all the time. Warranty management, code scanning, you name it.
Keating: It’s part of our DNA at this point. It’s part of onboarding, the regular education and updates, it is our whole conversation. Right? It comes back down to your internal team. Then when you look at what our platform does, it’s intended to help other internal teams do what we’re trying to do ourselves.
Which is: stay on top of where your data is, manage the collection and distribution and integration, and do it with a platform that is honorable, compliant, etcetera. We’re practitioners of it, but we’re also providers of this capability to others. Both sides of the coin.
Keep Learning in the Webinar
If you want to hear the full conversation, be sure to watch the on-demand webinar featuring Jeff Keating and Jaineesh Davda.
About the Speakers
Jeff is the Chief Technology Officer at FormAssembly. He brings over 20 years of experience building and managing data-enabled platforms and products in regulated industries, where security, privacy, and compliance are paramount. He has built his perspective while serving in multiple roles, from software development and infrastructure management to vulnerability management and corporate IT, while building capabilities to earn and keep industry accreditations.
Jaineesh is the Chief Information Officer at FormAssembly. He has developed his expertise over 20 years in software infrastructure, architecture, operations, compliance, and security. During that time he has gained a comprehensive perspective on the risks and challenges inherent in digital data collection, as well as solutions to common industry pitfalls.